Is Woltlab software GDPR compliant?

  • Hi

    I'm looking to launch an international online community and I've been researching the top forum software developers. Considering that this community will be a hobby launched by an individual, not by a company, I want to make sure that I don't have to hire a lawyer to take care of the GDPR aspects. I would like to know if Woltlab provides clients with tools that address:

    - the right to erasure (the possibility to delete any member, but retain their posts and threads under an auto-generated "Deleted_member_X" username, where "X" is the member number in the database)

    - the right to data portability (the possibility to generate an XML file containing a member's personal information, including those entered in custom user fields, that the member can download and that can be imported into any other Woltlab forum running the same version as mine

    - the right to be informed (a default GDPR compliant policy page written by Woltlab and displayed as a link in the site header)

    - the right to consent (checkboxes about the terms of service, the privacy policy and receiving news through email, that members have to tick before they can register)

    - the right to understand (a notice about cookies with a link towards a web article explaining what cookies are, and an "I understand and accept" button that users can click only after having clicked the link towards the web article)

    So far, only one of your competitors has these features. Considering that Woltlab is an European company, I expect that you would be more in the know about how to handle GDPR than the guys from the USA.

    Thank you.

    • Offizieller Beitrag

    - the right to erasure (the possibility to delete any member, but retain their posts and threads under an auto-generated "Deleted_member_X" username, where "X" is the member number in the database)

    Users can be deleted via the administration panel (including all personal data). Before deleting, the user can optionally be renamed to anonymize the username in posts.

    - the right to data portability (the possibility to generate an XML file containing a member's personal information, including those entered in custom user fields, that the member can download and that can be imported into any other Woltlab forum running the same version as mine

    With the next update we provide such an export function in the administration panel.

    - the right to be informed (a default GDPR compliant policy page written by Woltlab and displayed as a link in the site header)

    The software includes a GDPR compliant policy page linked in the site footer. You can also add a link to that page in the site header if you want.

    - the right to consent (checkboxes about the terms of service, the privacy policy and receiving news through email, that members have to tick before they can register)

    It is possible to add custom checkboxes in the registration form that members have to tick before they can register.

    - the right to understand (a notice about cookies with a link towards a web article explaining what cookies are, and an "I understand and accept" button that users can click only after having clicked the link towards the web article)

    The software already includes a notice about cookies and a detailed cookie policy page.

  • Thank you. Is there an estimated time for the next version of Woltlab?

    Also, is there any chance you could make a feature that allows admins to enable a cookie message that has to be confirmed in order to access the site? Meaning that clicking anywhere else outside that cookie message box would not make the message box disappear. According to the recent answers from the EU, that would constitute proof that the members gave their consent before using your site.

    Something like this Wikia site has enabled:

    http://ultraimg.com/images/2018/05/24/MZgh.jpg

    Also, can the members retract their consent for using cookies at any time from the cookie policy page?

    • Offizieller Beitrag

    Thank you. Is there an estimated time for the next version of Woltlab?

    The update has already been released two days ago: Patch Day 2018-05-22.

    Also, is there any chance you could make a feature that allows admins to enable a cookie message that has to be confirmed in order to access the site?

    All cookies set by the software by default do not require an explicit consent, because they are not used for any tracking purposes. This is in full compliance with existing privacy laws and the upcoming GDPR.

  • With all due respect, I don't think that Woltlab is taking GDPR very seriously. Even 9gag, which is a website based mostly on posting memes and hosted in Hong Kong, has a very detailed cookies and privacy notification box, with several tabbed sections that explain to the users and to the visitors what they track etc. and provide the users the options of choosing to allow certain types of cookies and blocking other types. And that's a meme website that barely has any user-related information at all.

    http://ultraimg.com/images/2018/05/30/MB6e.jpg

    And you want us to create an online discussions community where people share details about their lives and upload photos of themselves as attachments (or in the gallery) with only a basic cookie policy message that lumps together all types of cookies and doesn't even have an on-site explanation about how they are used, relying instead on a link to an external site that explains about the concept of cookies in general? I'm sorry, but you should really come up with a better GDPR-compliant privacy and cookie notification box. One that does not allow the visitors and members to access the community until they have ticked the "accept" button.

    • Offizieller Beitrag

    Hello Maricruz,

    the usage of cookies for tracking purposes indeed requires more details presented to the visitor and possibly ask for their consent. The point is, that our software does not use any tracking cookies whatsoever, it uses simple session cookies that are required to maintain states between consecutive page visits and that are automatically disposed. Sessions are discarded after 30 minutes of inactivity by default.

    Let's say that there is a fictional law that any home owner with pet animals must set up a warning sign, if they have a dog as a pet animal. In this example, we have just a cat, but you want us to set up a shield "Beware of the dog", because the neighbor, who happens to have a dog, also set one up. We still have a cat and nothing that a third party does is changing this fact whatsoever.

    Laws regarding privacy and cookies are nothing new to us, we're based in Germany which already has very restrictive privacy laws and the GDPR barely introduced something new. Even things like the "right of access by the data subject" (Art. 15, GDPR) is similar to Art 27, 28, 29, 30, and 34 of the BDSG (Federal Data Protection Act, Germany).

    Essentially, there are two types of cookies that matter:

    1. Session Cookies
    2. Tracking Cookies

    The first type, session cookies, work-around the limitation of HTTP requests that are by definition state-less, i. e. the webserver (and the software running on it) has no reliable way to identify visitors, meaning that two successive requests are effectively unrelated. Session cookies change this by asking the client to provide a small snippet of data to the server on every request, allowing it to recognize you between requests. Without these cookies, you would log-in to the site and whenever you click on another link on the same site, you would be logged-out again.

    These session cookies are similar to post-it notes for peoples with Alzheimer's desease as pictured in countless tv series and films, effectively remining the webserver who the visitor is. After 30 minutes of inactivity this post-it note is destroyed forever and the software cannot recognize it by any means - in fact it doesn't even care.

    Tracking cookies on the other hand are much different, they are meant to recognize users even after many days and they are used to keep track of exactly what you do. Which links you click, what you have done before and what you have done afterwards, effectively creating a profile. These type of cookies are collecting personal data by keeping track of every step of your activity.

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!